[Zope-dev] Removal of aq_acquire from guarded_getattr

Stefan H. Holek stefan at epy.co.at
Fri Jan 21 11:51:33 EST 2005


The bug:
http://zope.org/Collectors/CMF/259

The fix:
http://mail.zope.org/pipermail/zope-checkins/2004-August/028152.html

This effectively changes how acquisition works in restricted Python. I 
understand this may well be the point <wink>.

The consequences:
Zope sites experiencing seemingly random Unauthorized errors. [1]

I have added tests to the AccessControl suite on the 2.7 branch that
demonstrate the new behavior. Note that all of them pass in Zope 2.7.2.

What it _appears_ to mean is that when a container denies access, the
object security of the acquiree is checked. Therefore, a potential
acquiree (read: _any_ object) must make sure to declareObjectProtected
or it may end up not being acquirable. This is not always the case in
current Zope/CMF/Plone, which would explain the Unauthorized errors we
see.

Tres, I am happy to discuss this further once you have had a look at the
tests. I also have tests for the CMF in case you want them.

Stefan

[1]
http://zope.org/Collectors/CMF/318
http://zope.org/Collectors/Zope/1654
http://zope.org/Collectors/Zope/1669
http://plone.org/collector/3682


--
The time has come to start talking about whether the emperor is as well
dressed as we are supposed to think he is.               /Pete McBreen/
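
The check order described in the message above, as a simplified pure-Python model. This is an added example, not code from the post or from Zope's AccessControl; `Item`, `Container`, `object_roles`, `guarded_lookup` and `audit` are hypothetical names, and treating an undeclared acquiree as always denied is an assumption (the post says only that it "may" not be acquirable).

```python
# Simplified model of the behaviour the post describes. NOT Zope code;
# every name below is hypothetical.

class Unauthorized(Exception):
    pass

UNDECLARED = object()  # acquiree never declared object-level security


class Item:
    """Stand-in for a potential acquiree."""
    def __init__(self, name, object_roles=UNDECLARED):
        self.name = name
        # Analogue of what an object-level declaration would record:
        # the roles allowed to access the object itself.
        self.object_roles = object_roles


class Container:
    """Stand-in for a container whose own policy may deny a lookup."""
    def __init__(self, allowed_roles):
        self.allowed_roles = set(allowed_roles)

    def allows(self, user_roles):
        return bool(self.allowed_roles & set(user_roles))


def guarded_lookup(container, item, user_roles):
    """Return item if access is granted, else raise Unauthorized."""
    if container.allows(user_roles):
        return item
    # Container denied: fall back to the acquiree's own declaration.
    if item.object_roles is UNDECLARED:  # assumption: undeclared => denied
        raise Unauthorized(f"{item.name}: no object-level declaration")
    if set(item.object_roles) & set(user_roles):
        return item
    raise Unauthorized(f"{item.name}: roles {sorted(user_roles)} not allowed")


def audit(container, items, user_roles):
    """Map each item name to 'ok' or the denial reason."""
    report = {}
    for item in items:
        try:
            guarded_lookup(container, item, user_roles)
            report[item.name] = "ok"
        except Unauthorized as exc:
            report[item.name] = f"denied ({exc})"
    return report
```

Running `audit` for the same items against a permissive and a restrictive container shows why the errors look random: the undeclared item only fails once the container stops granting access.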


